Userspace Filesystem Encryption with EncFS

For a long time now, computer-related theft has been a real problem. The
most likely victims of these thefts are laptops and USB sticks, which are
obviously very easy to lift (and leave with). Desktop computers and backup
media are stolen less frequently. In all of these cases, much of the time, the
data stored in the media is more valuable than both the computer and the media.
An important question is how to protect valuable data in our computer's storage
areas.

Woes of Encryption

A solution may be to use gpg or similar
PKI-based file encryption, but that is still far from transparent and key
maintenance is still not very practical. When you consider that you may have to
work with several files at a time, this solution becomes even less
practical.

The immediate solution is to use an encrypted filesystem, which will encrypt
all of the data written into the filesystem and decrypt it on the fly when you
need to access it. Though this may solve most of the problems, it has
performance/privacy trade-offs; the encryption of your latest work may be good,
but the encryption of your favorite text editor or your browser's cache files may be unnecessary.

There's another partial solution related to partitioning on Linux: having
all of the system files on an unencrypted partition and the data files on an
encrypted partition. As a best-of-two-worlds solution, this seems to solve both
the performance and privacy problems, in theory. However, in real life, having
such a partitioning may not be easy; you may not have the rights to repartition
a multi-user system, or your hard disk layout may make it very difficult to
repartition.

The problem is bigger with USB sticks, for you may want to use those sticks
to store your private data as well as to exchange some other data with others,
probably Windows users. Having a filesystem-wide encryption scheme would
subvert that goal. Many projects have tried this classical approach. The most
famous are Loopback, CFS, and TCFS.

EncFS

A new and different approach to this problem is EncFS. EncFS runs in
userspace, meaning that you do not have to compile kernel modules or have
administrative rights. Its most important feature is being able to encrypt not
the whole filesystem or partitions, but separate directories. For its simple
usage and implementation, on a modern CPU the performance loss is almost
negligible, because even a 1.5GHz CPU waits often for RAM or hard disk I/O and
has enough power to perform encryption and decryption on the fly.

To install EncFS, you must first install Fuse and rlog. You can find SuSE 9.2
binary packages from Valient's home page. Debian users should use the
alien package converter tool to turn these into Debian-aware
.deb files with alien -d xxxx.rpm.

After installing these two packages, you can compile and install EncFS. At the time
of this writing, the current version is 1.2. When you have finished installing
all three packages, you can start making encrypted directories.

Using EncFS

Using encrypted directories is more like mounting any filesystem under
Linux. Create a real directory with all of your files, perhaps
/home/user/raw-crypt. You'll also have a mount point, perhaps
/home/user/crypt. When referring to the directories, however, be sure
to use absolute directory names (not just /usr/bin/crypt).

Then your encrypted directory is ready. To access it, refer to files in the crypt directory as normal. When you've finished, use:

fusermount -u /home/user/crypt

This unmounts the crypt directory, leaving the encrypted directory
crypt-raw on disk. Fortunately, it's pure rubbish to anyone but Tank
from the Matrix, with the exception of the file rights and sizes, which are
identical to the unencrypted ones. Apart from that, even the filenames have
changed.

One good thing about EncFS is that for making backups you do not have to
mount the crypt-raw directory. Instead, you can take a snapshot of the
encrypted directory and later decrypt it. For the file-by-file-basis
encryption, automated backup programs will even recognize the updated files and
will archive them.

There is also the matter of passwords. When you create an EncFS directory,
EncFS chooses a random password (one which is far more complex than any
password entered via the keyboard), encrypts the directory in question, and
finally encrypts the random password with your own chosen password. Because of
this, any time you change the access password, it only changes the password
used to encrypt the random one, making it unnecessary to re-encrypt all the
files.

As a whole, EncFS is a very good encryption alternative, with all of the speed
and well-thought-out practical solutions to otherwise big problems. EncFS
practically secures your data on laptops or USB sticks. You may even use it on
your desktop for securing important data.

KIVILCIM Hindistan
works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.